No, your LastPass has not been hacked

LastPass has not been hacked, obviously – but what happened? Yesterday, September 16th, I awoke and scrolled through several stories on my phone. “Google Warns LastPass Users Were Exposed To ‘Last Password’ Credential Leak.” was one of the first articles I saw. This scared the hell out of me! I read more and discovered that this “credential leak” was more of a credential challenge than anything else.

What is LastPass?

LastPass is a great tool for storing your passwords securely online. And it really lives up to its name – LastPass made it so I only have to remember one password.

HumbleBundle had a package deal which included LastPass and that is how I became exposed to them. Previously, I had never used “LogMeIn” but likely had heard about them.

LastPass has not been hacked

LastPass offers a lucrative bounty for any security expert who can demonstrate an exploit in its service. One of Google’s Project Zero analysts discovered the vulnerability early that day and tweeted about it. The cybersecurity reporter at Forbes then drafted an excellent article about the exploit, even including details on how the breach could occur. Additionally, LastPass responded with an announcement about the fix.

The team at LastPass quickly pulled together and implemented a solution. But did anyone ever take advantage of the exploit while it was present? No – from the statement we can see that pulling it off would have been a monumental task.

To exploit this bug, a series of actions would need to be taken by a LastPass user, including filling a password with the LastPass icon, then visiting a compromised or malicious site, and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass being exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis.